Emirates dinged for slipshod online data privacy practices

Fly the insecure skies

Updated International airline Emirates leaks customers' sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox.

Modi, in an online post on Friday, said that after a customer books a flight through Emirates, the process of managing the reservation shares personally identifiable information with over a dozen third-party trackers, including Boxever, Coremetrics, Crazy Egg, Facebook, and Google.

The data includes: customer name, customer email, itinerary, phone number, passport number and details, and brings with it the ability to edit this information.

The Emirates privacy policy makes clear some data sharing may occur. But the policy language stops short of declaring a wholesale customer data giveaway or granting the ability to alter reservations.

Emirates and Turkish Airlines lift laptop ban on US-bound flights

Modi said his argument is not against using third-party trackers. "The concern lies when such services are implemented across all pages of the website, without distinguishing between what is private data and what is not," he said, noting that not all such services should have access to the full spectrum of customer data.

The reservation confirmation email, when clicked, Modi explains, takes the user to Emirates website, which is festooned with trackers – code that captures data on behalf of a marketing partner.

And because the initial link relies on the insecure HTTP protocol, related data is potentially accessible to a network-based man-in-the-middle attack.

In an email to The Register, Modi described several scenarios by which such information could be abused:

1. The third-party companies themselves might use the data. Even if the privacy policy currently states they do not use it right now, policies change all the time.

2. Malicious users inside the company might use this data for identity theft.

3. In case these companies get hacked, and the users' data is compromised, an entity outside that company will also have access to this sensitive information.

4. If the link which the user opens over HTTP, which it is in case of Emirates.com, then any adversary capable of monitoring the network will have access to the same information.

These are, however, theoretical concerns; there's no indication that this data is presently being abused.

Modi says he identified the issue and raised it with Emirates via social media back in October 2017. At the time, he maintains, the web app passed personal information through hidden form fields that were nonetheless accessible as plain text.

The web app received a subsequent revision that eliminated the problem, but the Emirates mobile app, he insists, now exhibits the same issue.

"For Emirates, yes the issue still persists," he confirmed to The Register.

Modi contends that other airlines like KLM and Lufthansa exhibit similarly lackluster data security practices, or at least did so when he checked last October. He says that the problem isn't so much the usage of third-party services as how these services are implemented.

Trackers like Facebook and Google Analytics allow companies to track individuals across the internet and potentially to de-anonymize them, said Modi.

"The key point here is the user never signed for this, all s/he did was surf the internet," he explained.

Modi would like to see Emirates limit the use of third-party tracking code that puts privacy data at risk.

"Emirates has the control of their website and what the website shares with third party services," he says. "It is this control that needs to be exercised to limit the leakage of user information."

Emirates did not immediately respond to a request for comment. ®

Updated to add

Emirates have sent in the following statement:

We are aware of the article posted by Mr Konark Modi on 2 March 2018. We take all claims of security or privacy breaches seriously and have conducted a thorough review of our sites and systems. We can confirm that none of the security vulnerabilities highlighted in Mr Modi’s article will allow a breach (unauthorized access) of personal data on our website or mobile app.

Whilst we do use a number of third party analytical tools on our sites for the purpose of improving the online browsing experience, we continually review how these are implemented. The depiction in Mr Modi’s article as to what data is being shared, or customer choice in ‘opting out’ is inaccurate. We are committed to protecting the privacy of our customer’s personal data. Customers can find out more about how we use personal data and how they can opt out by reading our privacy policy on emirates.com.

In response to the statement issued by Emirates, Modi said, “This statement is not just vague but is also factually incorrect.”